Unified Approach For Regulatory IT Compliance

White Paper

Unified Approach For Regulatory IT Compliance

Regulatory compliance is critical for the pharmaceutical and medical devices industries. Compliance is a legal requirement mandated by regulatory agencies such as the US FDA and EMEA. Compliance also makes good business sense: being compliant helps improve business results, as it instils a culture of quality and accountability in the organization. Most importantly, compliance is the right (ethical) thing to do, as human lives are at stake. The typical business and IT challenges faced by customers in this space are meeting the regulatory compliance requirements of various regulatory agencies without affecting the core business processes, and building a cost-effective model for consistently ensuring compliance with all applicable policies and procedures. This white paper outlines the challenges faced by the industry in achieving compliance and details the unified approach that is being increasingly adopted by organizations to bring in effective compliance.

Table of Contents

1. Introduction  3
2. Challenges in Regulatory IT Compliance  3
3. Adopting An Effective Regulatory IT Compliance Program  4
4. Execution Framework for Implementing Compliance Programs  5
5. Conclusion  8
6. Acknowledgements  8
7. Abbreviations Used  9


Introduction

Pressure on innovation and technology adoption, and the resultant increase in the cost of regulatory compliance, is forcing organizations to re-think their strategies for achieving compliance in an effective and efficient manner. This white paper outlines the challenges faced by the industry in achieving compliance under these pressured scenarios and the approach adopted by organizations to overcome these challenges and bring in effective compliance on a continuous basis.

Challenges in Regulatory IT Compliance

The constant deployment of technology solutions to create innovative products and to improve the quality of life of patients has extended the scope of regulations to the IT systems deployed across the business processes. “Regulatory IT Compliance” deals with regulatory compliance for the IT systems deployed across the organization. The Regulatory IT Compliance challenges faced by customers in the Life Sciences and Medical Devices industry can be summarized as follows:

• Need for a specialized compliance group within the organization to:
  - comply with the multifaceted regulations (GxP, Privacy, Fiscal, Health and Safety, Intellectual Patent Rights),
  - face multiple regulatory bodies in a global setup,
  - adhere to new guidance / regulations, and
  - adapt to changing interpretations of the existing regulations for increased patient safety.

• As organizations seek to adopt new technologies and industry standards such as eCTD, CDISC, HL7 etc., the scope, complexity and volume of compliance requirements across the organization is increasing by the day. Maintaining systems based on existing technologies, and implementing new technologies in a compliant manner, requires involvement on a continuous basis from the compliance group(s).

• Poor documentation for existing systems, non-standardized / outdated SOPs, and low awareness among team members of the compliance requirements pose a high risk, leading to a lack of audit readiness.

• Inefficiencies in the compliance life cycle, including long documentation review and approval cycles, policy inconsistency, lack of quality resources for performing compliance activities, and no single point of accountability for compliance readiness across the organisation.

Organizations today are aiming to implement an effective Regulatory IT Compliance Program that integrates the compliance strategy with the business and IT strategies and the governance structure. The Regulatory IT Compliance Program should:

• Address the implications for “Right-To-Operate” of adopting newer technologies (SOA, Open Source, SaaS etc.) and standards (CDISC, SAFE Digital Signatures, eCTD).

• Meet the challenge of achieving a continuous state of compliance with improved operational and cost efficiencies.

• Adopt a risk-based management framework for Regulatory IT Compliance.

• Achieve a state of audit readiness to face regulatory authorities at any time.

This white paper presents an approach that is increasingly being adopted in implementing an effective Regulatory IT compliance program by leading industry players.

Adopting An Effective Regulatory IT Compliance Program

Organizations typically have specialized compliance groups for interpreting, planning, and implementing different regulatory requirements. Though these groups strive for effective coordination with each other, the organizational processes and governance structures may not allow for an optimized compliance operational model. Some of the challenges faced in such a setup are as follows:

• Multiple regulations have overlapping requirements, resulting in duplication of the compliance effort spent by these specialist groups.

• System integration with various business processes / functions requires unified interpretation and implementation of the compliance effort. Typically, the IT team is expected to do the analysis, which is then ratified by a business quality representative. In the absence of a harmonized process for all applicable regulations, and given the ever-present need for ‘speed to business value’, some ‘gaps’ in compliance could occur.

• Managing differences in compliance strategies across business areas and technologies results in varied levels of compliance maturity within the organization.

• Adoption of IT applications across the business processes in an organization is at various stages of the software development life cycle, requiring varied levels of involvement by various groups.

As a result, the organization on the whole could end up with:

• High cost of compliance due to rework and sub-optimal utilization of compliance resources.

• IT teams struggling to find the appropriate compliance processes (including templates) that would apply to complex scenarios of application rollout.

• Uncertainty about audit readiness for various regulations / regulatory bodies.

• Lack of a core team of specialists qualified to provide compliance advice across multiple regulations and technologies.

To overcome these challenges, organizations are increasingly looking to adopt a Unified Regulatory IT Compliance program. A unified compliance program operates as a centralized compliance unit which handles various regulatory authorities / requirements across the organization. The centralized operation creates controls and governance models for each business area and regulatory requirement.


The role of the unified compliance program typically includes (but is not limited to) the following:

• Creating a common pool of compliance consultants that provide compliance services to all business IT units across the organization through a ‘Compliance Service Desk’ approach, much like providing centralized IT infrastructure and application services support.

• Defining a corporate-level roles and responsibilities matrix for the performance of compliance activities and ensuring its implementation globally.

• Managing the spikes and lows in compliance resource demand across the organization to achieve economies of scale and optimal compliance resource utilization.

• Evolving a common compliance approach and creating a culture of knowledge and best-practice sharing within the organization across compliance, IT and business teams.

• Managing a repository of reusable information assets, checklists, templates and training presentations, to optimize information re-use and ‘right sizing’ of compliance effort.

• Defining metrics and monitoring the compliance program across the organization.

• Developing methodologies for standardised compliance-related documentation.

• Continuous process improvement for compliance processes, including implementation of methodologies such as Six Sigma.

The unified compliance program should span the entire IT infrastructure, business applications and business processes, and seek to minimize the challenges arising from system integration, duplication of compliance effort, and maintaining an enterprise-wide quality framework in a dynamic organization and regulatory environment.

Execution Framework for Implementing Compliance Programs

The challenges faced in running a unified compliance program are:

• Unified interpretation and adoption of the compliance program across the organization.

• Availability of associates with the right experience of technology, regulatory and business knowledge.

• Effective resource management in meeting compliance demand.

Global Pharma and Medical Devices organizations are adopting various strategies to address these challenges. The following sections discuss these strategies in detail.

Process-based Approach to Compliance

A process-based framework aims to streamline the compliance processes and maintain the systems in a continuous state of compliance and audit preparedness. Process-based frameworks typically have the following features:

• Risk Management. A risk management framework ensures that risk assessments are performed by the right people, at the right time, and that the results are documented appropriately to enable adoption of a risk-based right sizing of compliance effort and deliverables.

• Compliance Monitoring Program. Use of metrics for measuring compliance effort and managing resource demand. When compliance is treated as a service provided by the compliance teams to stakeholders, it involves defining Service Level Agreements (SLAs) for compliance activities, and adopting continuous process feedback and improvement processes.

• Change Management for managing ad hoc and planned changes. The change management process should mandate creation of artifacts for documentary evidence, such as Note-To-File, Memo-To-File, Justification for Continued Business Use (in case of deviations), and so on.

• Knowledge Management. Use of an asset repository to enable right sizing of validation effort, continuous monitoring and ensuring training compliance.

A process-based approach enables standardization in achieving compliance, while bringing down the cost of ownership and the time and effort required for maintaining the application portfolio over a period of time. This ensures business continuity and speed-to-business value of compliance services.

Outsourcing Compliance Program to an External Service Provider

Centralized compliance operations are being outsourced to qualified vendors to manage compliance efficiency and demand. The following diagram shows the phased approach that organizations could adopt for effective compliance outsourcing, minimizing the risks and maximizing the return on investment.

[Diagram: phased compliance outsourcing model, progressing through Low Cost Resource Model, Bundled Services, Independent Compliance Services, Process Improvement, Process Transition, Process Optimisation and Consolidation.]


As can be seen in the above diagram, outsourcing typically starts with an effort-based model where transaction-based outsourcing is done. The model then matures to application-specific services, where compliance services are offered as part of application development / upgrade / maintenance. Once the compliance outsourcing model stabilizes, the running of the entire compliance program is outsourced to a single partner. At the next level of compliance outsourcing, the entire organization is reviewed for compliance process improvement, and a process transition is adopted whereby compliance services are combined with the risk management framework to improve compliance maturity and reach process optimisation. Finally, compliance is consolidated across business areas and geographies to achieve a continuous state of compliance and audit readiness through an outsourced partner. Most companies are at the stage of running an independent compliance program through an outsourced partner. Companies are overcoming the challenge of process standardization by harmonizing the process before outsourcing to vendors, so that cost is minimized and standardization in delivering the services is not compromised.

Beyond Outsourcing to an External Service Provider

Another key step in outsourcing compliance has been to adopt an onsite-offshore model for carrying out the compliance services, to enable cost savings and time savings.

[Diagram: phased onsite-offshore compliance services model. Phases: Stabilization Phase (100% onsite; Compliance Office Setup); Extension Phase (80-20 onsite-offshore; offshore services: low risk systems, document authoring, periodic reviews, metrics management); Full Service Phase (50-50 onsite-offshore; offshore services: risk assessment, system retirement, validation planning for less complex systems); Transformation Phase (20-80 onsite-offshore; offshore services: validation planning for complex systems, compliance monitoring, training). Timeline markers: 6 month, 6-12 month, 12-18 month.]

Typically companies start onsite and slowly move low risk activities offshore, scaling up over time to running the entire compliance services from an offshore location. The typical phased approach to onsite-offshore compliance services adopted by companies is described below.

[Diagram: Offshore Activities by phase. Activity groups shown: Validation Project Mgmt, Periodic Reviews, Business Integration, Compliance Dashboard Metrics, Technical Writing; Risk assessment, Library Management, Change management process, Network and platform qualifications, System Retirement; Validation Consulting, Training management, SOP Management, Quality Program Monitoring, Audit readiness support; Compliance Monitoring Program, Vendor evaluation, Training compliance monitoring, Continuous improvement process, Validation library maintenance.]
